Date: Wed, 16 May 2007 21:20:10 GMT
From: Ariff Abdullah <ariff@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/112671: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Message-ID: <200705162120.l4GLKAs3034836@freefall.freebsd.org>
The following reply was made to PR kern/112671; it has been noted by GNATS.
From: Ariff Abdullah <ariff@FreeBSD.org>
To: bug-followup@FreeBSD.org, osd@cs.unibo.it
Cc:
Subject: Re: kern/112671: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Date: Thu, 17 May 2007 05:10:46 +0800
This is a multi-part message in MIME format.
--Multipart=_Thu__17_May_2007_05_10_46_+0800_//OmptO1D13lMuyR
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Well, I'm not really sure if this is all about signedness or simply
because dev_stdclone() itself fails to do correct checking on
unit > 0xffffff (it should be CLONE_UNITMASK which is 0xfffff, no?),
obviously an overflow against clone_create(). It could be argued that
the caller would later strip and truncate it, but there are few other
drivers (notably snp(4)) which innocently proceed without any
tinkering.
Anyway, try this patch. It should help other dev_stdclone() users too.
--
Ariff Abdullah
FreeBSD
... Recording in stereo is obviously too advanced
and confusing for us idiot ***** users :P ........
--Multipart=_Thu__17_May_2007_05_10_46_+0800_//OmptO1D13lMuyR
Content-Type: text/x-diff;
name="kern_conf.c.diff"
Content-Disposition: attachment;
filename="kern_conf.c.diff"
Content-Transfer-Encoding: 7bit
Index: src/sys/kern/kern_conf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_conf.c,v
retrieving revision 1.201
diff -u -r1.201 kern_conf.c
--- src/sys/kern/kern_conf.c 2 Feb 2007 22:27:45 -0000 1.201
+++ src/sys/kern/kern_conf.c 16 May 2007 20:05:51 -0000
@@ -763,7 +763,7 @@
u *= 10;
u += name[i++] - '0';
}
- if (u > 0xffffff)
+ if (u > CLONE_UNITMASK)
return (0);
*unit = u;
if (namep)
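Review bot: The bound check at `if (u > CLONE_UNITMASK)` still runs only after the digit loop above it has finished, so `u *= 10; u += name[i++] - '0';` can wrap on a long digit string before the comparison ever sees the value. The declaration of u is outside this hunk; if it is a signed type, a wrapped negative value would also pass a `>` test. Consider moving the comparison inside the loop so parsing stops at the first out-of-range value, and add a short comment that the limit is the clone unit mask, since the old constant gave no hint of where it came from.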
--Multipart=_Thu__17_May_2007_05_10_46_+0800_//OmptO1D13lMuyR--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705162120.l4GLKAs3034836>
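The parsing pattern discussed in the message above, as an added user-space example (not code from the mail or from the FreeBSD tree): a range check placed after the digit loop next to one placed inside it. The function names, `DEMO_UNITMASK` (set to the value quoted in the mail) and the 32-bit unsigned accumulator are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this demo: the mask value quoted in the mail above. */
#define DEMO_UNITMASK 0xfffffu

/* Pattern from the hunk: accumulate all digits, compare once afterwards.
 * The 32-bit unsigned accumulator is an assumption (the page does not show
 * u's type); unsigned makes the wrap well defined. Returns 1 on success. */
static int parse_unit_postcheck(const char *s, uint32_t *unit)
{
    uint32_t u = 0;

    if (*s < '0' || *s > '9')
        return 0;
    while (*s >= '0' && *s <= '9') {
        u *= 10;                       /* may wrap modulo 2^32 */
        u += (uint32_t)(*s++ - '0');
    }
    if (u > DEMO_UNITMASK)
        return 0;
    *unit = u;
    return 1;
}

/* Hardened variant: reject as soon as the running value leaves the range. */
static int parse_unit_checked(const char *s, uint32_t *unit)
{
    uint32_t u = 0;

    if (*s < '0' || *s > '9')
        return 0;
    while (*s >= '0' && *s <= '9') {
        u = u * 10 + (uint32_t)(*s++ - '0');
        if (u > DEMO_UNITMASK)         /* u was <= mask, so no wrap yet */
            return 0;
    }
    *unit = u;
    return 1;
}

int main(void)
{
    const char *in = "4294967297";     /* constructed input: 2^32 + 1 */
    uint32_t a = 0, b = 0;
    int ra = parse_unit_postcheck(in, &a), rb = parse_unit_checked(in, &b);
    printf("postcheck: ok=%d unit=%u\n", ra, (unsigned)a);
    printf("checked:   ok=%d unit=%u\n", rb, (unsigned)b);
    return 0;
}
```

The post-loop check accepts the constructed input as a small in-range unit because the accumulator has already wrapped; the in-loop check rejects it at the first digit that pushes the value past the mask.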
